{"title":"Reducing the Impact of DoS Attacks on Endpoint IP Security","authors":"J. Touch, Y.-H.E. Yang","doi":"10.1109/NPSEC.2006.320340","DOIUrl":null,"url":null,"abstract":"IP security is designed to protect hosts from attack, but can itself provide a way to overwhelm the resources of a host. One such denial of service (DoS) attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources to reject unwanted traffic. This paper examines the impact of such attacks, and provides a preliminary exploration of ways to reduce their impact. Measurements of the impact of DoS attack traffic on times86-based hosts in FreeBSD indicate that a single DoS attacker can reduce throughput by half. This impact can be reduced to approximately 20% by layering low-effort nonce validation on IPsec's more CPU-intensive cryptographic algorithms, but the choice of algorithm does not have as large an effect. This work suggests that effective DoS resistance requires an hierarchical defense using both nonces and strong cryptography at the endpoints.","PeriodicalId":206067,"journal":{"name":"2006 2nd IEEE Workshop on Secure Network Protocols","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 2nd IEEE Workshop on Secure Network Protocols","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NPSEC.2006.320340","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4
Abstract
IP security is designed to protect hosts from attack, but can itself provide a way to overwhelm the resources of a host. One such denial of service (DoS) attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources to reject unwanted traffic. This paper examines the impact of such attacks, and provides a preliminary exploration of ways to reduce their impact. Measurements of the impact of DoS attack traffic on x86-based hosts in FreeBSD indicate that a single DoS attacker can reduce throughput by half. This impact can be reduced to approximately 20% by layering low-effort nonce validation on IPsec's more CPU-intensive cryptographic algorithms, but the choice of algorithm does not have as large an effect. This work suggests that effective DoS resistance requires a hierarchical defense using both nonces and strong cryptography at the endpoints.